Increase in cybercrime: Focus on vulnerabilities in digital security

20 Oct 2024 | By Maheesha Mudugamuwa



The recent surge in cybercrime incidents in Sri Lanka has exposed glaring vulnerabilities in the country’s digital security infrastructure. With scams targeting both individuals and institutions on the rise, it is evident that the nation’s approach to cybersecurity needs significant reform. 

The arrest of over 200 foreign nationals suspected of involvement in financial scams in Sri Lanka this year, including a raid that led to the apprehension of 120 Chinese nationals in Kundasale, underscores the urgent need for action. 

Yet, despite a growing awareness of these threats, experts argue that Sri Lanka’s legal and institutional framework still lacks the robustness necessary to effectively combat these sophisticated crimes.

Commenting on efforts by the Police to combat online scams, Police Spokesman DIG Nihal Thalduwa stated that the Police was acting in accordance with the existing laws. However, he acknowledged that given the nature of these scams, the current legal framework appeared inadequate. While conceding that there was a need to strengthen the existing laws, he noted that the matter had not been discussed in depth yet.


The rise of online scams


Over the past few years, online scams have grown increasingly prevalent in Sri Lanka, with cybercriminals exploiting social media platforms, online marketplaces, and even established financial institutions to defraud unsuspecting victims. The recent wave of arrests highlights how extensive the problem has become, with foreign syndicates operating within Sri Lanka’s borders. 

Notably, multiple raids in areas like Negombo, Nawala, and Panadura have uncovered elaborate networks of online gambling operations and phishing scams. The scale of the problem is daunting, with more than 260 electronic devices, including computers and mobile phones, seized during these operations.

The scams often lure victims through fake websites, fraudulent investment schemes, and counterfeit social media profiles. For instance, some victims are enticed with promises of financial rewards in return for seemingly innocuous tasks such as engaging with social media content. However, once the money is transferred, the perpetrators disappear without a trace. 

These scams not only affect individual consumers but also have broader implications for the nation’s economic and digital security.


Current laws


While Sri Lanka does have legal provisions to address cybercrime, such as the Computer Crimes Act of 2007, experts such as Information Systems Audit and Control Association (ISACA) Sri Lanka Chapter President Lakmal Embuldeniya argue that the existing laws are not being effectively enforced. 

The Computer Crimes Act addresses three main areas: unauthorised access to computer systems, modification of computer data, and the use of computers for illegal activities. Yet, despite these provisions, a lack of skilled personnel in law enforcement and the Judiciary poses significant challenges.

“The misconception is that we don’t have enough laws to tackle these crimes, but the real issue is a lack of enforcement,” said Embuldeniya. He explained that while laws such as the Intellectual Property Act could be used to address issues like website duplication and unauthorised use of logos, law enforcement agencies struggled due to a shortage of cybercrime experts. 

“The Police and the Criminal Investigation Department (CID) lack trained personnel who understand the intricacies of both the Computer Crimes Act and intellectual property laws,” he added.

Further complicating matters is the frequent migration of senior cybersecurity professionals, especially following the Covid-19 pandemic. With around 30-40% of experienced practitioners leaving the country, the talent pool has significantly diminished, leaving gaps in both the private and public sectors.


Cyber Security Bill


The impending Cyber Security Bill is expected to address some of these issues by establishing the Cyber Security Regulatory Authority of Sri Lanka (CSRASL). The CSRASL is envisioned as the primary institution overseeing civilian aspects of cybersecurity, tasked with implementing policies and safeguarding critical national information infrastructure. 

However, some IT experts have expressed concerns about the draft bill’s references to the Defence Cyber Command Act, indicating a potentially disproportionate focus on national defence at the expense of civilian oversight and protections.

Critics argue that while the bill emphasises coordination with the Defence Cyber Command, it lacks clarity on how the CSRASL will be held accountable for protecting individual rights and regulating private sector compliance. 

Additionally, some sections of the bill appear more concerned with maintaining the status quo than introducing sweeping reforms, with certain clauses prioritising the retention of employees of existing cybersecurity bodies over hiring new talent with specialised skills.

“The new Cyber Security Bill is a step forward, but it’s not enough to address the root causes of our cybersecurity shortcomings,” said a senior IT consultant who wished to remain anonymous. “The focus should be on building capabilities and forging direct links with global internet giants like Google, Facebook, and Amazon Web Services (AWS) to facilitate the prompt removal of harmful content and the shutting down of scam websites.”


Weaknesses in network security


Another critical issue is the inadequate state of network security across both Government and private institutions. Sri Lanka’s banking sector has seen repeated attempts at cyberattacks, with scammers frequently targeting financial institutions. Even some Government websites have fallen victim to attacks due to outdated security measures.

Embuldeniya pointed out that directives from the Central Bank of Sri Lanka (CBSL) had pushed banks to bolster their information security defences, leading to a hiring spree for cybersecurity roles. However, this has also meant that many skilled individuals are now occupied with their day jobs, leaving little room for them to contribute to broader security efforts outside of their primary responsibilities.

“We have a situation where the experts we do have are overburdened, and there is no system in place for institutions to share knowledge or work together on cybersecurity threats,” he remarked.


Addressing the talent shortage


To tackle the talent shortage, there must be a concerted effort to improve training and development in cybersecurity. Academic institutions and professional organisations need to collaborate on initiatives to produce more skilled graduates in this field. Partnerships with international cybersecurity bodies could also facilitate knowledge transfer and help to create a more resilient digital ecosystem in Sri Lanka.

Additionally, incentivising experienced professionals to remain in the country through tax benefits or career advancement opportunities could slow the migration of skilled workers. Establishing cyber hubs in partnership with universities could encourage research and development in this field, helping Sri Lanka stay ahead of emerging threats.


